IAM Password policy should have requirement for at least one number in the password.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | iam |
| Provider | AWS |
| Vulnerability Type | omission |
Description
The IAM account password policy does not require users to include at least one numeric character in their passwords. This results in weaker, less complex passwords that are easier to guess or brute-force.
Impact
Without a requirement for numbers in passwords, attackers have an easier time compromising accounts through password guessing or brute-force attacks, increasing the risk of unauthorized access to AWS resources and potential data breaches.
Resolution
Enforce longer, more complex passwords in the IAM account password policy.
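
One way to detect and remediate this finding, as an added example that is not part of the rule's own source: it flags a missing number requirement and builds a full `aws iam update-account-password-policy` command, because that call replaces the whole policy and resets any omitted setting to its default. Assumptions: the input has the JSON shape of `aws iam get-account-password-policy`, `None` stands for an account with no policy set, and the sample policy and function names are constructed for illustration.

```python
import json
import shlex

# Constructed sample in the shape returned by `aws iam get-account-password-policy`.
SAMPLE = json.loads("""
{"PasswordPolicy": {"MinimumPasswordLength": 14, "RequireSymbols": true,
  "RequireNumbers": false, "RequireUppercaseCharacters": true,
  "RequireLowercaseCharacters": true, "AllowUsersToChangePassword": true,
  "ExpirePasswords": true, "MaxPasswordAge": 90, "PasswordReusePrevention": 24}}
""")

# Response fields mapped to `aws iam update-account-password-policy` options.
# ExpirePasswords is read-only (derived from MaxPasswordAge), so it is not listed.
INT_FLAGS = {
    "MinimumPasswordLength": "minimum-password-length",
    "MaxPasswordAge": "max-password-age",
    "PasswordReusePrevention": "password-reuse-prevention",
}
BOOL_FLAGS = {
    "RequireNumbers": "require-numbers",
    "RequireSymbols": "require-symbols",
    "RequireUppercaseCharacters": "require-uppercase-characters",
    "RequireLowercaseCharacters": "require-lowercase-characters",
    "AllowUsersToChangePassword": "allow-users-to-change-password",
    "HardExpiry": "hard-expiry",
}

def missing_number_requirement(response):
    """True when the account has no policy at all or RequireNumbers is off."""
    policy = (response or {}).get("PasswordPolicy")
    return policy is None or not policy.get("RequireNumbers", False)

def remediation_command(response):
    """Carry every existing setting forward and switch only RequireNumbers on."""
    policy = dict((response or {}).get("PasswordPolicy") or {})
    policy["RequireNumbers"] = True
    cmd = ["aws", "iam", "update-account-password-policy"]
    for field, flag in INT_FLAGS.items():
        if field in policy:
            cmd += [f"--{flag}", str(policy[field])]
    for field, flag in BOOL_FLAGS.items():
        if field in policy:
            cmd.append(f"--{flag}" if policy[field] else f"--no-{flag}")
    return cmd

if __name__ == "__main__":
    if missing_number_requirement(SAMPLE):
        print(shlex.join(remediation_command(SAMPLE)))
```
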